First Time Criminal Charges Are Filed Against Known State Actors for Hacking

A grand jury in the Western District of Pennsylvania (WDPA) indicted five Chinese military hackers for computer hacking, economic espionage and other offenses directed at six American victims in the U.S. nuclear power, metals and solar products industries.

The indictment alleges that the defendants conspired to hack into American entities, to maintain unauthorized access to their computers and to steal information from those entities that would be useful to their competitors in China, including state-owned enterprises (SOEs). In some cases, it alleges, the conspirators stole trade secrets that would have been particularly beneficial to Chinese companies at the time they were stolen. In other cases, it alleges, the conspirators also stole sensitive, internal communications that would provide a competitor, or an adversary in litigation, with insight into the strategy and vulnerabilities of the American entity.

“This is a case alleging economic espionage by members of the Chinese military and represents the first ever charges against a state actor for this type of hacking,” U.S. Attorney General Eric Holder said. “The range of trade secrets and other sensitive business information stolen in this case is significant and demands an aggressive response. Success in the global market place should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets. This Administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market.”

“For too long, the Chinese government has blatantly sought to use cyber espionage to obtain economic advantage for its state-owned industries,” said FBI Director James B. Comey. “The indictment announced today is an important step. But there are many more victims, and there is much more to be done. With our unique criminal and national security authorities, we will continue to use all legal tools at our disposal to counter cyber espionage from all sources.”

“State actors engaged in cyber espionage for economic advantage are not immune from the law just because they hack under the shadow of their country’s flag,” said John Carlin, Assistant Attorney General for National Security. “Cyber theft is real theft and we will hold state sponsored cyber thieves accountable as we would any other transnational criminal organization that steals our goods and breaks our laws.”

“This 21st century burglary has to stop,” said David Hickton, U.S. Attorney for the Western District of Pennsylvania. “This prosecution vindicates hard working men and women in Western Pennsylvania and around the world who play by the rules and deserve a fair shot and a level playing field.”

Summary of the Indictment

Defendants : Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, who were officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army (PLA). The indictment alleges that Wang, Sun, and Wen, among others known and unknown to the grand jury, hacked or attempted to hack into U.S. entities named in the indictment, while Huang and Gu supported their conspiracy by, among other things, managing infrastructure (e.g., domain accounts) used for hacking.

Crimes : Thirty-one counts as follows (all defendants are charged in all counts).

Count(s)

Charge

Statute

Maximum Penalty

1

Conspiring to commit computer fraud and abuse

18 U.S.C. § 1030(b).

10 years.

2-9

Accessing (or attempting to access) a protected computer without authorization to obtain information for the purpose of commercial advantage and private financial gain.

18 U.S.C. §§ 1030(a)(2)(C), 1030(c)(2)(B)(i)-(iii), and 2.

5 years (each count).

10-23

Transmitting a program, information, code, or command with the intent to cause damage to protected computers.

18 U.S.C. §§ 1030(a)(5)(A), 1030(c)(4)(B), and 2.

10 years (each count).

24-29

Aggravated identity theft.

18 U.S.C. §§ 1028A(a)(1), (b), (c)(4), and 2

2 years (mandatory consecutive).

30

Economic espionage.

18 U.S.C. §§ 1831(a)(2), (a)(4), and 2.

15 years.

31

Trade secret theft.

18 U.S.C. §§ 1832(a)(2), (a)(4), and 2.

10 years.

Summary of Defendants’ Conduct Alleged in the Indictment

Defendant

Victim

Criminal Conduct

Sun

Westinghouse

In 2010, while Westinghouse was building four AP1000 power plants in China and negotiating other terms of the construction with a Chinese SOE (SOE-1), including technology transfers, Sun stole confidential and proprietary technical and design specifications for pipes, pipe supports, and pipe routing within the AP1000 plant buildings.Additionally, in 2010 and 2011, while Westinghouse was exploring other business ventures with SOE-1, Sun stole sensitive, non-public, and deliberative e-mails belonging to senior decision-makers responsible for Westinghouse’s business relationship with SOE-1.

Wen

SolarWorld

In 2012, at about the same time the Commerce Department found that Chinese solar product manufacturers had “dumped” products into U.S. markets at prices below fair value, Wen and at least one other, unidentified co-conspirator stole thousands of files including information about SolarWorld’s cash flow, manufacturing metrics, production line information, costs, and privileged attorney-client communications relating to ongoing trade litigation, among other things. Such information would have enabled a Chinese competitor to target SolarWorld’s business operations aggressively from a variety of angles.

Wang and Sun

U.S. Steel

In 2010, U.S. Steel was participating in trade cases with Chinese steel companies, including one particular state-owned enterprise (SOE-2). Shortly before the scheduled release of a preliminary determination in one such litigation, Sun sent spearphishing e-mails to U.S. Steel employees, some of whom were in a division associated with the litigation. Some of these e-mails resulted in the installation of malware on U.S. Steel computers. Three days later, Wang stole hostnames and descriptions of U.S. Steel computers (including those that controlled physical access to company facilities and mobile device access to company networks). Wang thereafter took steps to identify and exploit vulnerable servers on that list.

Wen

ATI

In 2012, ATI was engaged in a joint venture with SOE-2, competed with SOE-2, and was involved in a trade dispute with SOE-2. In April of that year, Wen gained access to ATI’s network and stole network credentials for virtually every ATI employee.

Wen

USW

In 2012, USW was involved in public disputes over Chinese trade practices in at least two industries. At or about the time USW issued public statements regarding those trade disputes and related legislative proposals, Wen stole e-mails from senior USW employees containing sensitive, non-public, and deliberative information about USW strategies, including strategies related to pending trade disputes. USW’s computers continued to beacon to the conspiracy’s infrastructure until at least early 2013.

Sun

Alcoa

About three weeks after Alcoa announced a partnership with a Chinese state-owned enterprise (SOE-3) in February 2008, Sun sent a spearphishing e-mail to Alcoa. Thereafter, in or about June 2008, unidentified individuals stole thousands of e-mail messages and attachments from Alcoa’s computers, including internal discussions concerning that transaction.

Huang

Huang facilitated hacking activities by registering and managing domain accounts that his co-conspirators used to hack into U.S. entities. Additionally, between 2006 and at least 2009, Unit 61398 assigned Huang to perform programming work for SOE-2, including the creation of a “secret” database designed to hold corporate “intelligence” about the iron and steel industries, including information about American companies.

Gu

Gu managed domain accounts used to facilitate hacking activities against American entities and also tested spearphishing e-mails in furtherance of the conspiracy.

An indictment is merely an accusation and a defendant is presumed innocent unless proven guilty in a court of law.

The FBI conducted the investigation that led to the charges in the indictment. This case is being prosecuted by the U.S. Department of Justice’s National Security Division Counterespionage Section and the U.S. Attorney’s Office for the Western District of Pennsylvania.

Good Morning. I am joined here by Assistant Attorney General for National Security John Carlin; U.S. Attorney for the Western District of Pennsylvania David Hickton; and Executive Director of the FBI Bob Anderson.

In his 2013 State of the Union Address, President Obama called the theft of corporate secrets by foreign countries and companies a real threat to our security and our economy.

We are here this morning to discuss a matter that proves this threat, warned about by the President, is all too real.

Today, we are announcing an indictment against five officers of the Chinese People’s Liberation Army for serious cybersecurity breaches against six American victim entities.

These represent the first ever charges against known state actors for infiltrating U.S. commercial targets by cyber means.

A federal grand jury in Pittsburgh has found that these five Chinese military officers conspired together, and with others, to hack into the computers of organizations in Western Pennsylvania and elsewhere in the United States.

The victim entities include Westinghouse Electric, Alcoa, Allegheny Technologies Incorporated, U.S. Steel, the United Steelworkers Union and SolarWorld.

This is a case alleging economic espionage by members of the Chinese military.

The range of trade secrets and other sensitive business information stolen in this case is significant and demands and aggressive response.

The indictment alleges that these PLA officers maintained unauthorized access to victim computers to steal information from those entities that would be useful to their competitors in China, including state-owned enterprises.

In some cases, they stole trade secrets that would have been particularly beneficial to Chinese companies at the time they were stolen.

In others, they stole sensitive, internal communications that would provide a competitor, or adversary in litigation, with insight into the strategy and vulnerabilities of the American entity.

In sum, the alleged hacking appears to have been conducted for no reason other than to advantage state-owned companies and other interests in China, at the expense of businesses here in the United States.

This is a tactic that the U.S. government categorically denounces. As President Obama has said on numerous occasions, we do not collect intelligence to provide a competitive advantage to U.S. companies, or U.S. commercial sectors.

Our economic security and our ability to compete fairly in the global marketplace are directly linked to our national security.

The success of American companies, since our nation’s founding, has been the result of hard work and fair play by our citizens.

This is how it ought to be across the globe. Success in the international marketplace should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets.

When a foreign nation uses military or intelligence resources and tools against an American executive or corporation to obtain trade secrets or sensitive business information for the benefit of its state-owned companies, we must say, ‘enough is enough.’

This Administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market.

This case should serve as a wake-up call to the seriousness of the ongoing cyberthreat. These criminal charges represent a groundbreaking step forward in addressing that threat.

The indictment makes clear that state actors who engage in economic espionage, even over the Internet from faraway offices in Shanghai, will be exposed for their criminal conduct and sought for apprehension and prosecution in an American court of law.

With that, it is my pleasure to turn it over to Assistant Attorney General for National Security John Carlin.

Conspiring to Commit Computer Fraud; Accessing a Computer Without Authorization for the Purpose of Commercial Advantage and Private Financial Gain; Damaging Computers Through the Transmission of Code and Commands; Aggravated Identity Theft; Economic Espionage; Theft of Trade Secrets

SUN KAILIANG

Aliases:

Sun Kai Liang, Jack Sun

DETAILS

On May 1, 2014, a grand jury in the Western District of Pennsylvania indicted five members of the People’s Liberation Army (PLA) of the People’s Republic of China (PRC) for 31 criminal counts, including: conspiring to commit computer fraud; accessing a computer without authorization for the purpose of commercial advantage and private financial gain; damaging computers through the transmission of code and commands; aggravated identity theft; economic espionage; and theft of trade secrets.

The subjects, including Sun Kailiang, were officers of the PRC’s Third Department of the General Staff Department of the People’s Liberation Army (3PLA), Second Bureau, Third Office, Military Unit Cover Designator (MUCD) 61398, at some point during the investigation. The activities executed by each of these individuals allegedly involved in the conspiracy varied according to his specialties. Each provided his individual expertise to an alleged conspiracy to penetrate the computer networks of six American companies while those companies were engaged in negotiations or joint ventures or were pursuing legal action with, or against, state-owned enterprises in China. They then used their illegal access to allegedly steal proprietary information including, for instance, e-mail exchanges among company employees and trade secrets related to technical specifications for nuclear plant designs. Sun, who held the rank of captain during the early stages of the investigation, was observed both sending malicious e-mails and controlling victim computers.

Conspiring to Commit Computer Fraud; Accessing a Computer Without Authorization for the Purpose of Commercial Advantage and Private Financial Gain; Damaging Computers Through the Transmission of Code and Commands; Aggravated Identity Theft; Economic Espionage; Theft of Trade Secrets

WANG DONG

Aliases:

Jack Wang, “UglyGorilla”

DETAILS

On May 1, 2014, a grand jury in the Western District of Pennsylvania indicted five members of the People’s Liberation Army (PLA) of the People’s Republic of China (PRC) for 31 criminal counts, including: conspiring to commit computer fraud; accessing a computer without authorization for the purpose of commercial advantage and private financial gain; damaging computers through the transmission of code and commands; aggravated identity theft; economic espionage; and theft of trade secrets.

The subjects, including Wang Dong, were officers of the PRC’s Third Department of the General Staff Department of the People’s Liberation Army (3PLA), Second Bureau, Third Office, Military Unit Cover Designator (MUCD) 61398, at some point during the investigation. The activities executed by each of these individuals allegedly involved in the conspiracy varied according to his specialties. Each provided his individual expertise to an alleged conspiracy to penetrate the computer networks of six American companies while those companies were engaged in negotiations or joint ventures or were pursuing legal action with, or against, state-owned enterprises in China. They then used their illegal access to allegedly steal proprietary information including, for instance, e-mail exchanges among company employees and trade secrets related to technical specifications for nuclear plant designs. Wang controlled victim computers.

Conspiring to Commit Computer Fraud; Accessing a Computer Without Authorization for the Purpose of Commercial Advantage and Private Financial Gain; Damaging Computers Through the Transmission of Code and Commands; Aggravated Identity Theft; Economic Espionage; Theft of Trade Secrets

WEN XINYU

Multimedia: Images

Aliases:

Wen Xin Yu, “WinXYHappy”, “Win_XY”, Lao Wen

DETAILS

On May 1, 2014, a grand jury in the Western District of Pennsylvania indicted five members of the People’s Liberation Army (PLA) of the People’s Republic of China (PRC) for 31 criminal counts, including: conspiring to commit computer fraud; accessing a computer without authorization for the purpose of commercial advantage and private financial gain; damaging computers through the transmission of code and commands; aggravated identity theft; economic espionage; and theft of trade secrets.

The subjects, including Wen Xinyu, were officers of the PRC’s Third Department of the General Staff Department of the People’s Liberation Army (3PLA), Second Bureau, Third Office, Military Unit Cover Designator (MUCD) 61398, at some point during the investigation. The activities executed by each of these individuals allegedly involved in the conspiracy varied according to his specialties. Each provided his individual expertise to an alleged conspiracy to penetrate the computer networks of six American companies while those companies were engaged in negotiations or joint ventures or were pursuing legal action with, or against, state-owned enterprises in China. They then used their illegal access to allegedly steal proprietary information including, for instance, e-mail exchanges among company employees and trade secrets related to technical specifications for nuclear plant designs. Wen controlled victim computers.

Conspiring to Commit Computer Fraud; Accessing a Computer Without Authorization for the Purpose of Commercial Advantage and Private Financial Gain; Damaging Computers Through the Transmission of Code and Commands; Aggravated Identity Theft; Economic Espionage; Theft of Trade Secrets

HUANG ZHENYU

Aliases:

Huang Zhen Yu, “hzy_lhx”

DETAILS

On May 1, 2014, a grand jury in the Western District of Pennsylvania indicted five members of the People’s Liberation Army (PLA) of the People’s Republic of China (PRC) for 31 criminal counts, including: conspiring to commit computer fraud; accessing a computer without authorization for the purpose of commercial advantage and private financial gain; damaging computers through the transmission of code and commands; aggravated identity theft; economic espionage; and theft of trade secrets.

The subjects, including Huang Zhenyu, were officers of the PRC’s Third Department of the General Staff Department of the People’s Liberation Army (3PLA), Second Bureau, Third Office, Military Unit Cover Designator (MUCD) 61398, at some point during the investigation. The activities executed by each of these individuals allegedly involved in the conspiracy varied according to his specialties. Each provided his individual expertise to an alleged conspiracy to penetrate the computer networks of six American companies while those companies were engaged in negotiations or joint ventures or were pursuing legal action with, or against, state-owned enterprises in China. They then used their illegal access to allegedly steal proprietary information including, for instance, e-mail exchanges among company employees and trade secrets related to technical specifications for nuclear plant designs. Huang was a computer programmer who managed the domain accounts used by the others.

Conspiring to Commit Computer Fraud; Accessing a Computer Without Authorization for the Purpose of Commercial Advantage and Private Financial Gain; Damaging Computers Through the Transmission of Code and Commands; Aggravated Identity Theft; Economic Espionage; Theft of Trade Secrets

GU CHUNHUI

Aliases:

Gu Chun Hui, “KandyGoo”

DETAILS

On May 1, 2014, a grand jury in the Western District of Pennsylvania indicted five members of the People’s Liberation Army (PLA) of the People’s Republic of China (PRC) for 31 criminal counts, including: conspiring to commit computer fraud; accessing a computer without authorization for the purpose of commercial advantage and private financial gain; damaging computers through the transmission of code and commands; aggravated identity theft; economic espionage; and theft of trade secrets.

The subjects, including Gu Chunhui, were officers of the PRC’s Third Department of the General Staff Department of the People’s Liberation Army (3PLA), Second Bureau, Third Office, Military Unit Cover Designator (MUCD) 61398, at some point during the investigation. The activities executed by each of these individuals allegedly involved in the conspiracy varied according to his specialties. Each provided his individual expertise to an alleged conspiracy to penetrate the computer networks of six American companies while those companies were engaged in negotiations or joint ventures or were pursuing legal action with, or against, state-owned enterprises in China. They then used their illegal access to allegedly steal proprietary information including, for instance, e-mail exchanges among company employees and trade secrets related to technical specifications for nuclear plant designs. Gu tested malicious e-mail messages and also managed the domain accounts used by the others.